Mobile apps transmit unencrypted user data due to insecure SDKs

Kaspersky researchers have mobile apps with millions of subscriptions which risk user information due to advertising SDKs.
Written by Charlie Osborne, Contributing Writer

A number of popular mobile applications are transmitting unencrypted user data due to the use of insecure advertising Software Development Kits (SDKs).

Advertising is critical to many online and app-based services. Without advertising in free versions, developers miss out on crucial revenue which is required for support and improvements.

An easy way to integrate advertising into mobile applications is through the use of SDKs. These development tools, often free and offered by third-parties, can collect user information to display relevant and targeted ads -- but non-secure SDKs can impact the security of applications which use them.

On Tuesday, Kaspersky Lab researchers presented an investigation into insecure SDKs at the RSA Conference in San Francisco.

The researchers said that while analyzing a number of popular dating applications, they discovered that some of the apps in question transmit unencrypted user data over the HTTP protocol due to poorly-secured SDKs.

"They collect user data so they can show relevant ads, but often fail to protect that data when sending it to their servers," says Roman Unuchek, Kaspersky Lab security researcher.

HTTP is far less secure than HTTPS as transmitted information is not encrypted. By transmitting user data over HTTP for ad targeting, these apps are potentially exposing user information to abuse, theft, eavesdropping, and Man-in-The-Middle (MITM) attacks, among other attacks.

"The intercepted data can be modified, meaning the application will show malicious ads instead of legitimate ones," the researchers said. "Users will then be enticed to download a promoted application, which will turn out to be malware, putting them at risk."

According to Kaspersky, the apps involved included some with millions of installations worldwide.

HTTPS was in use when apps were communicating with their servers, but at the same time, HTTP requests were also being sent to third-party advertising network servers.

The apps analyzed all transmit at least one of the following pieces of information in an unencrypted fashion; names, ages, genders, user income, phone numbers, email addresses, device information, and device GPS locations.

The most common, connected website domains used by ad networks which exposed data through these requests included mopub.com, rayjump.com, tappas.net, Nexage.com, and appsgeyser.com.

"The scale of what we first thought was just specific cases of careless application design is overwhelming," says Unuchek. "Millions of applications include third-party SDKs, exposing private data that can be easily intercepted and modified -- leading to malware infections, blackmail and other highly effective attack vectors on your devices."

See also: Ancient EITest infection chain sinkholed by security teams

According to Kaspersky research, as of January this year, 63 percent of mobile apps have now made the switch from HTTP to HTTPS. However, close to 90 percent of these apps are still also using HTTP in some processes and systems, and many of them are transmitting unencrypted information.

It is up to developers to make the switch fully and to enable encryption for the sake of security and user privacy.

However, in the meantime, users should keep an eye on their app permissions and what they are allowing their apps to do and access, and they may also want to consider using a virtual private network (VPN) service to encrypt traffic between devices and servers.

Android, iOS mobile apps to download before disaster strikes

Previous and related coverage

Editorial standards